CERT C++: MEM30-C

Accessing previously freed pointer occurs when you attempt to access a block of memory after freeing the block by using the free function.

When a pointer is allocated dynamic memory by using malloc, calloc or realloc, it points to a memory location on the heap. When you use the free function on this pointer, the associated block of memory is freed for reallocation and the pointer becomes a dangling pointer. Attempting to access this block of memory by dereferencing the dangling pointer can result in unpredictable behavior or a segmentation fault.

The fix depends on the root cause of the defect. Determine if you intended to free the memory later or allocate another memory block to the pointer before access.

As a best practice, after you free a memory block, assign the corresponding pointer to NULL. Before dereferencing pointers, check them for NULL values and handle the error. In this way, you are protected against accessing a freed block.

#include <stdlib.h>
#include <stdio.h>
 int increment_content_of_address(int base_val, int shift)
   { 
    int j;
    int* pi = (int*)malloc(sizeof(int));
    if (pi == NULL) return 0;

    *pi = base_val;
    free(pi);

    j = *pi + shift; //Noncompliant

    return j;
   }

The free statement releases the block of memory that pi refers to. Therefore, dereferencing pi after the free statement is not valid.

One possible correction is to free the pointer pi only after the last instance where it is accessed.

#include <stdlib.h>

int increment_content_of_address(int base_val, int shift)
{
    int j;
    int* pi = (int*)malloc(sizeof(int));
    if (pi == NULL) return 0;

    *pi = base_val;

    j = *pi + shift;
    *pi = 0;

    /* Fix: The pointer is freed after its last use */
    free(pi);               
    return j;
}

Freeing previously freed pointer occurs when you attempt to free the memory allocated to a pointer after already freeing the pointer by using the free function.

Attempting to free the memory associated with a previously freed pointer might corrupt the memory management of the program and cause a memory leak. This defect might allow an attacker to access the memory and execute arbitrary code.

To avoid this defect, assign pointers to NULL after freeing them. Check the pointers for NULL value before attempting to access the memory associated with the pointer. In this way, you are protected against accessing a freed block.

#include <stdlib.h>
#include <stdio.h>
int getStatus();
void double_deallocation(void)
{
	int* pi = (int*)malloc(sizeof(int));
	if (pi == 0) return;

	*pi = 2;
	/*...*/
	if(getStatus()==1)
	{
		/*...*/
		free(pi);
	}
	free(pi); //Noncompliant
}

The second free statement attempts to release the block of memory that pi refers to, but the pointer pi might already be freed in the if block of code. This second free statement might cause a memory leak and security vulnerabilities in the code. Polyspace^® flags the second free statement.

One possible correction is to assign freed pointers to NULL and to check pointers for NULL before freeing them.

#include <stdlib.h>
#include <stdio.h>
int getStatus();
void double_deallocation(void)
{
	int* pi = (int*)malloc(sizeof(int));
	if (pi == 0) return;

	*pi = 2;
	/*...*/
	if(getStatus()==1)
	{
		/*...*/
		if(pi!=NULL)
		{
			free(pi);
			pi= NULL;
		}
	}
	/*...*/
	if(pi!=NULL)
	{
		free(pi);
		pi= NULL;
	} //Compliant
}

In this case, the memory allocated to pointer pi is freed only if it is not already freed.